Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp1631005pxp; Thu, 17 Mar 2022 13:08:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwjs6EEnTASmojya2zBreglXzpFzQOaKqZ/Wf+Hndlb1C+Nv8TsXMJb60S+w/wKp94eVz/y X-Received: by 2002:a63:31cf:0:b0:382:2647:d3a9 with SMTP id x198-20020a6331cf000000b003822647d3a9mr1142868pgx.306.1647547695735; Thu, 17 Mar 2022 13:08:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647547695; cv=none; d=google.com; s=arc-20160816; b=p6xpyI79bz+dGG9VTK4yn4VZZQEkBBQttMwRmJ0jDwXzaY1b4VLCsFpYqnFGHSLOXo VrLwc+nA+Cm3ZgkYjlgDOboLafU5BUt8V8231/C2Ruwb0nbPnQWWqDxqvUIgJCCCKijx Ul0bRhxVnKHFF8cT41PejbMMAMuh37mNyEg1AZ8TnDmcbrAFH1ECnhgEXDbmbX3nRUb3 mS7gNgMfX11Ux4U2y5lS5tKlgvwyIXL6As7DKMuJLUfDW1+qckhteN82WkD2PX7WOFNC Qix7QIqZrkqkXMpN58HGSJNM/CEB1+ZTDQp2JS6Fc1NWGEgD9ypDrCiOyJi6+hpFtIdk C0Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=oXxajodOegFpu3qLtW7meKAMsmhaC7A4cIBe9jeyyy8=; b=XGf1M14WO/lfSMBvkNgKNC+x5OqTpu9+erYvpadZJpMM9+SjF6Lljc7cHvTY/vnIVz ugRFfL8HmHuwSVgu10g9HJd93SS35L67On5b70TuF5xJ9gylhpcFxGKn6R8cyKFbYELp KLSK9YkZLOCOx7HGomNgCtMkJJ8Xx73nGohU6sh666Tkr+BpARNQfsgRN7q2dIImcwDu guKc5n0rXQ3m7Ha/dV3dJYoHUSKweEkBxDh5jFUn6zNuRK0AkzXMXvdFJdGf85sqiBAa vlQnWOXAR4ftlA5WhnVEMNT44dvx1gYEjrJnKf7HV5wScyrUoYYGqP1njv6VUAA+bFAU U0cw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=T1CXfgoL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id 28-20020a63115c000000b00381f29f71cbsi2890896pgr.425.2022.03.17.13.08.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Mar 2022 13:08:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=T1CXfgoL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C08682921E1; Thu, 17 Mar 2022 12:55:51 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237149AbiCQSn3 (ORCPT + 99 others); Thu, 17 Mar 2022 14:43:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60898 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237534AbiCQSn0 (ORCPT ); Thu, 17 Mar 2022 14:43:26 -0400 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A249D21351F; Thu, 17 Mar 2022 11:42:08 -0700 (PDT) Received: by mail-ej1-x62f.google.com with SMTP id p15so12605081ejc.7; Thu, 17 Mar 2022 11:42:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=oXxajodOegFpu3qLtW7meKAMsmhaC7A4cIBe9jeyyy8=; b=T1CXfgoLZaxde5dXFF4LTNE2qLUFot42LriRrOoKQgCswwyNCHb6anbnIZ/6Gvsqb4 vmwMIhiVo7o5dlgWLclkHWo/VuqWp19QoWTUmVOdLyIxFs2qubQmR/wJrqOAKwyizCL+ GGzDyV6Y04zs11XcJL8FLm0IQ9NUA3LGAErmZxba7krGizP2TtvcI4V+tiiAnL/g+7W0 d+8z/Secp8G0iFoukRBbcCkDVfxNZCfccCC9S8ASJzhefj5KjNmOHKTUnNxGoP4ngWZF r3cuM+OGw1wWW+5g6LlM+EWzfDWy9Hebr25O9RlbPEtwvSJuDR9VyCV6u6zY+YSfZRsA Nm7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=oXxajodOegFpu3qLtW7meKAMsmhaC7A4cIBe9jeyyy8=; b=Pq+518DrjBvpisgbmB8BX2gm/2NV/YBAowaMRFWFCDqDpcnuvVZvNaJgmm2u/yQ/KQ ZhTNbvb+KzcfZaGiktxcVDH9Ysr23IGQCf9WHjzlFpcawbn0umrY982T6IswMybPHPkC GAIoeeC4AHU7XwsInYRk4NX/K0dk2GWTSNVdKHF8jbpFbdpUAZPNJCV7LYofGwW0EVkb iJWab+we3B4fOrGMty5w2X3kivS0qRbCajApdOiyBFh8nZoEK+KYVhLy+s5nUsy87Q2N IVno8VSllqUK6uiKJpRtdCE1Bxf/Cv2ME1Li1MmFvl+obeR7kft3ETEWKQUvi2rntSnj s/ww== X-Gm-Message-State: AOAM530srT1KQPzcwCDBMjHErZDumb5LKJjHQzJGyxsfBuR8s+za7MX9 SWGgJxG2vSC4L1jKnHimm/I= X-Received: by 2002:a17:906:d54f:b0:6df:a9d8:cbaa with SMTP id cr15-20020a170906d54f00b006dfa9d8cbaamr1943701ejc.183.1647542526979; Thu, 17 Mar 2022 11:42:06 -0700 (PDT) Received: from skbuf ([188.26.57.45]) by smtp.gmail.com with ESMTPSA id w14-20020a170906d20e00b006cee22553f7sm2780238ejz.213.2022.03.17.11.42.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Mar 2022 11:42:06 -0700 (PDT) Date: Thu, 17 Mar 2022 20:42:04 +0200 From: Vladimir Oltean To: Hans Schultz Cc: Florian Fainelli , davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Andrew Lunn , Vivien Didelot , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org Subject: Re: [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Message-ID: <20220317184204.wehqmziioscdz33t@skbuf> References: <20220310142320.611738-1-schultz.hans+netdev@gmail.com> <86o825htih.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86o825htih.fsf@gmail.com> X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 17, 2022 at 09:29:10AM +0100, Hans Schultz wrote: > On ons, mar 16, 2022 at 17:18, Florian Fainelli wrote: > > On 3/10/2022 6:23 AM, Hans Schultz wrote: > >> This patch set extends the locked port feature for devices > >> that are behind a locked port, but do not have the ability to > >> authorize themselves as a supplicant using IEEE 802.1X. > >> Such devices can be printers, meters or anything related to > >> fixed installations. Instead of 802.1X authorization, devices > >> can get access based on their MAC addresses being whitelisted. > >> > >> For an authorization daemon to detect that a device is trying > >> to get access through a locked port, the bridge will add the > >> MAC address of the device to the FDB with a locked flag to it. > >> Thus the authorization daemon can catch the FDB add event and > >> check if the MAC address is in the whitelist and if so replace > >> the FDB entry without the locked flag enabled, and thus open > >> the port for the device. > >> > >> This feature is known as MAC-Auth or MAC Authentication Bypass > >> (MAB) in Cisco terminology, where the full MAB concept involves > >> additional Cisco infrastructure for authorization. There is no > >> real authentication process, as the MAC address of the device > >> is the only input the authorization daemon, in the general > >> case, has to base the decision if to unlock the port or not. > >> > >> With this patch set, an implementation of the offloaded case is > >> supplied for the mv88e6xxx driver. When a packet ingresses on > >> a locked port, an ATU miss violation event will occur. When > >> handling such ATU miss violation interrupts, the MAC address of > >> the device is added to the FDB with a zero destination port > >> vector (DPV) and the MAC address is communicated through the > >> switchdev layer to the bridge, so that a FDB entry with the > >> locked flag enabled can be added. > > > > FWIW, we may have about a 30% - 70% split between switches that will > > signal ATU violations over a side band interrupt, like mv88e6xxx will, > > and the rest will likely signal such events via the proprietary tag > > format. > > I guess that the proprietary tag scheme a scenario where the packet can > be forwarded to the bridge module's ingress queue on the respective > port? I'm not sure what you mean by forwarding to the bridge module's ingress queue. I expect that both cases of drivers to interact with the bridge in the exact same way, expect one of them calls call_switchdev_notifiers() from an interrupt context, and the other from NET_RX softirq context, from the tagging protocol driver (ok, maybe not directly, it depends upon whether we need rtnl_lock which sleeps, things like that). I might be just projecting based on what I know, but the way I interpret what Florian has said is by thinking of "learn frames" as described here: https://patchwork.kernel.org/project/netdevbpf/cover/20220209130538.533699-1-schultz.hans+netdev@gmail.com/#24734685 The advantage of signaling ATU misses or membership violations via learn frames is that you have a much wider toolbox of mitigations for denial of service. Instead of one ATU interrupt per packet, you have NAPI on the DSA master, interrupt coalescing, policers on the DSA master, rate limiting for learn frames in the switch...